Appl. No. 10/829,591 

Amdt. dated August 11, 2008 

Reply to Office Action of June 3, 2008 



This listing of claims replaces all prior versions, and 
listings of claims in the instant application: 

Listing of Claims; 

1. (Currently amended) A method comprising: 
stalling an attempt to reference an object; and 
determining whether an attempter that originated said 

attempt is authorized to access said object, wherein upon a 
determination that said attempter is authorized to access said 
object, said method further comprising saving at least part of 
said object_^ 

stalling an attempt to release said object; and 
determining whether said object has changed, wherein upon 
a determination that said object has changed, said method 
further comprising determining if said attempter is authorized 
to change said object , 

2. (Original) The method of Claim 1 wherein upon a 
determination that said attempter is authorized to access said 
object, said method further comprising releasing said attempt. 

3. (Original) The method of Claim 2 wherein upon said 
releasing said attempt, said method further comprising 
determining if access is granted using an access control list. 



4. (Canceled) 



5. (Original) The method of Claim 1 wherein upon a 
determination that said attempter is not authorized to access 
said object, said method further comprising denying said 
attempt . 
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6. (Original) The method of Claim 1 further comprising 
hooking object functionality. 

7. (Original) The method of Claim 6 wherein said object 
functionality comprises functionality associated with creating, 
modifying, or closing said object. 

8. (Original) The method of Claim 6 wherein said hooking 
object functionality comprises hooking a user mode library. 

9. (Original) The method of Claim 6 wherein said hooking 
object functionality comprises hooking a system call table. 

10. (Original) The method of Claim 6 wherein said 
hooking object functionality comprises hooking an object 
manager . 



11-12. (Canceled) 



13. (Original) The method of Claim 6 wherein said 
hooking object functionality comprises hooking object type 
procedures . 



14. (Currently amended) The method of Claim 1 further 
comprising determining whether said attempt to reference an 
object has occurred. 



15-16. (Canceled) 



17. (Currently amended) The method of Claim ^r€—l wherein 
upon a determination that said object has not changed, said 
method further comprising releasing said attempt to release 
said object. 
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18. (Canceled) 



19. (Currently amended) The method of Claim wherein 
upon a determination that said attempter is authorized to 
change said object, said method further comprising releasing 
said attempt to release said object, 

20. (Currently amended) The method of Claim wherein 
upon a determination that said attempter is not authorized to 
change said object, said method further comprising restoring 
said object . 

21. (Original) The method of Claim 20 wherein said 
restoring comprises replacing at least part of said object with 
a saved at least part of said object. 

22. (Currently amended) The method of Claim 1 further 
comprising: 

□tailing an attempt to rclcaoG oaid object originating 
from aaid attempter; 

determining that oaid object has been changed by aaid 
attempter; 

determining that said attempter did not have authority to 
change said object; 

restoring said object comprising: 

restoring a restricted change to said object made by 
said attempter, wherein said attempted is not authorized 
to make said restricted change; and 

allowing a permitted change to said object made by 
said attempter, wherein said attempted is authorized to 
make said pemnitted change ; and 
releasing said attempt. 
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23. (Currently amended) The method of Claim -SS — 1 wherein 
said attempter is a user of a computer system. 

24. (Currently amended) The method of Claim ^3—1 wherein 
said attempter is a process on a computer system. 

25. (Original) The method of Claim 24 wherein said 
process is a kernel mode process. 

26-34. (Canceled) 

35. (Currently amended) A system comprising: 
a memory; 

a means for stalling an attempt to reference an object; 
a means for determining whether an attempter that 
originated said attempt is authorized to access said object; 

a means for saving at least part of said object upon a 
determination that said attempter is authorized to access said 
object_^ 

a means for stalling an attempt to release said object; 



and 



a means for determining whether said object has changed; 
a means for determining if said attempter is authorized to 



change said object upon a determination that said object has 
changed . 
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36. (Currently amended) A computer-program product 
comprising a tangible computer- readable storage medium 
containing computer program code comprising: 

a behavior blocking and monitoring application for 
stalling an attempt to reference an object; and 

said behavior blocking and monitoring application further 
for determining whether an attempter that originated said 
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attempt is authorized to access said object, wherein upon a 
determination that said attempter is authorized to access said 
object, said behavior blocking and monitoring application 
further for saving at least part of said object_^ 

said behavior blocking and monitoring application further 
for stalling an attempt to release said object; and 

said behavior blocking and monitoring application further 
for determining whether said object has changed, wherein upon a 
determination that said object has changed, said behavior 
blocking and monitoring application further for determining if 
said attempter is authorized to change said object . 

37. (Currently amended) A computer system comprising: 
a memory having stored therein a behavior blocking and 

monitoring application; and 

a processor coupled to said memory, wherein execution of 

said behavior blocking and monitoring application generates a 

method comprising: 

stalling an attempt to reference an object; and 
determining whether an attempter that originated said 

attempt is authorized to access said object, wherein upon a 

determination that said attempter is authorized to access said 

object, said method further comprising saving at least part of 

said objectj_ 

stalling an attempt to release said object; and 
determining whether said object has changed, wherein upon 

a determination that said object has changed, said method 

further comprising determining if said attempter is authorized 

to change said object . 
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